Impact
The vulnerability is a Cross‑Site Request Forgery that allows an attacker to inject and persist malicious script in the Web Push plugin for WordPress. An authenticated user who is tricked into visiting a crafted URL can cause the plugin to store attacker‑controlled JavaScript in the database. When the user later loads the site, the stored script executes in the victim’s browser, enabling theft of session cookies, defacement, or execution of arbitrary code within the user’s context. The weakness is identified as CWE‑352, indicating that insufficient verification of request authenticity permits the injection.
Affected Systems
WordPress sites that use the Marco Castelluccio Web Push plugin version 1.4.0 or earlier are affected. All installations employing those versions should review their plugin version and consider upgrading if an update is available.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate‑to‑high severity. The EPSS score of <1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw enables persistent XSS through a crafted request, an attacker who can lure an authenticated user to a malicious link can cause the vulnerable plugin to store and later serve the malicious script. The exploit requires that the victim be logged in and that the plugin accept an unsanitized payload; both conditions are often realistic in a corporate environment with multiple administrators.
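The two controls whose absence the advisory describes are request-authenticity verification (the CWE‑352 part) and input sanitization/output escaping (the stored XSS part). The following is an added example and is not code from the Web Push plugin; the advisory does not identify the plugin's actual endpoint, so it uses a generic WordPress settings handler with hypothetical hook, option and function names (`hypo_push_*`). It shows the CSRF‑prone shape of such a handler next to a hardened version that uses WordPress's own nonce, capability, sanitization and escaping functions.

```php
<?php
// Added example, not the Web Push plugin's own code. All hypo_push_* names,
// the 'hypo_push_title' option and the 'manage_options' capability are
// hypothetical choices for illustration.

// --- Vulnerable shape (shown for contrast; do not hook this one) ---
// No nonce, no capability check, no sanitization. A third-party page that
// auto-submits a form to wp-admin will be sent with the logged-in user's
// cookies, so attacker-chosen text is persisted and later rendered: CSRF
// (CWE-352) turning into stored XSS.
function hypo_push_save_settings_vulnerable() {
    if ( isset( $_POST['push_title'] ) ) {
        update_option( 'hypo_push_title', $_POST['push_title'] ); // raw input persisted
    }
}

// --- Hardened shape ---
// The settings form emits a nonce bound to a named action. A cross-origin
// attacker page cannot read this value, so a forged request lacks it.
function hypo_push_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'hypo_push_save_settings', 'hypo_push_nonce' );
    echo '<input type="text" name="push_title" value="'
        . esc_attr( get_option( 'hypo_push_title', '' ) ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

function hypo_push_save_settings_hardened() {
    if ( ! isset( $_POST['push_title'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Request authenticity (the CWE-352 control): verify the nonce.
    //    check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'hypo_push_save_settings', 'hypo_push_nonce' );
    // 3. Sanitize before persisting (strips tags, removes line breaks and
    //    invalid UTF-8; wp_unslash() undoes WordPress's magic-quotes slashing).
    $title = sanitize_text_field( wp_unslash( $_POST['push_title'] ) );
    update_option( 'hypo_push_title', $title );
}
add_action( 'admin_init', 'hypo_push_save_settings_hardened' );

// 4. Escape at every output sink, even though input was sanitized: the
//    stored value may have been written by an older, unsanitized version.
function hypo_push_render_title() {
    echo '<h2>' . esc_html( get_option( 'hypo_push_title', '' ) ) . '</h2>';
}

// When the value is handed to JavaScript (for example as a push notification
// payload), JSON-encode it with the HEX flags instead of string-interpolating
// it into a <script> block; JSON_HEX_TAG prevents a stored "</script>" from
// closing the block early.
function hypo_push_inline_js() {
    $title = get_option( 'hypo_push_title', '' );
    echo '<script>var hypoPushTitle = '
        . wp_json_encode( $title, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
        . ';</script>';
}
```

The nonce check alone closes the CSRF path; the sanitization and escaping steps are what keep a request that does get through (or a value stored before the fix) from becoming a stored XSS. When reviewing a plugin for this class of bug, look for every `update_option()` / database write reachable from `admin_init`, `admin_post_*` or `wp_ajax_*` handlers and confirm a `check_admin_referer()` or `wp_verify_nonce()` call precedes it.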